Undefined behaviours in P4 - PowerPoint Presentation

Uploaded by jaena (@jaena) on 2024-02-09




Presentation Transcript

1. Undefined behaviours in P4 programs: find them, fix them or exploit them.
Costin Raiciu
Thanks to CORNET H2020
University Politehnica of Bucharest

2. P4 by example: route and encapsulate
What packets the switch accepts and outputs.
Match-action (M/A) tables - how a P4 switch can transform packets.
Control program – what sequence of M/A tables is applied to a packet.
(Pipeline diagram: IN → PARSER → Ingress Pipeline [ipv4_lpm: 10.0.0.0/8 → Ge0; check TTL>0] → Buffers → Egress Pipeline [encap: * → 1.2.3.4, 5.6.7.8] → DEPARSER → OUT.)

3. P4 by example: route and encapsulate
Deparsing uses the same parser specification.
Common problem: forget to parse output packets.
(Same pipeline diagram as slide 2.)
    parser start {
        extract(eth);
        return select(eth.type) {
            0x800 : parse_ipv4;
            default: ingress;
        }
    }
    parser parse_ipv4 {
        extract(ipv4);
        return ingress;
    }

4. P4 by example: route and encapsulate
(Same pipeline diagram as slide 2; the parser now also handles the encapsulated inner IPv4 header.)
    parser start {
        extract(eth);
        return select(eth.type) {
            0x800 : parse_ipv4;
            default: ingress;
        }
    }
    parser parse_ipv4 {
        extract(ipv4);
        return select(ipv4.protocol) {
            0x5E : parse_inner_ipv4;
            default: ingress;
        }
    }
    parser parse_inner_ipv4 {
        extract(inner_ipv4);
        return ingress;
    }

5. P4 by example: route and encapsulate
    control ingress() {
        if (ipv4.TTL > 0) apply(ipv4_lpm);
    }
Reading unparsed header fields will return undefined values.
(Same pipeline diagram as slide 2; parser as on slide 4.)

6. P4 by example: route and encapsulate
    control ingress() {
        if (valid(ipv4) and ipv4.TTL > 0) apply(ipv4_lpm);
    }
Non-IPv4 packets will be sent directly to buffering, resulting in undefined behavior because the egress_spec is not set.
(Pipeline diagram as on slide 2, with the ingress check now valid(ipv4) && TTL>0.)

7. P4 by example: route and encapsulate
Re-adding existing header fields: undefined behavior.
(Pipeline diagram as on slide 6.)

8. Undefined behaviours in P4
Accessing invalid headers.
Valid headers not deparsed.
Reviving dropped packets.
Out-of-bounds array accesses.
Overflows / underflows.
Infinite loops.
(Code shown alongside; parser as on slide 3.)
    control ingress() {
        if (ipv4.TTL > 0) apply(ipv4_lpm);
    }
    apply(acl)   // triggers action that drops packet
    apply(lpm)   // triggers action that sets egress_spec to a valid value

9. Architecture-specific behaviour
Reparseability.
Live mutually exclusive headers (cf. parser).
Ambiguous forwarding.
(Diagram: ingress pipeline → egress pipeline, with "parse?" between them.)

10. Undefined behaviour is bad.
What happens on actual targets?

11. Test to find out
Craft buggy programs.
Inject packets to trigger undefined behaviour.
Observe results on Tofino, P4NetFPGA, Bmv2 SimpleSwitch.

12. Testing undefined header accesses
    control ingress() {
        if (!isValid(ipv4)) apply(m);
    }
    // table m, default action copy
    copy() { ether.etherType = ipv4.check; }
Good packet: Ethernet (ethertype 0x800) | IPv4 (src, dst)
Faulty packet: Ethernet (ethertype 0x809)
Bmv2: previous packets' IPv4 checksum field.
P4NetFPGA: etherType field set to 0.
Tofino: etherType field set to 0.

13. Testing undefined header accesses (2)
    control ingress() {
        if (isValid(explore)) apply(m);
    }
    // table m, default action copyAll
    copyAll() {
        explore.srcAddr = ip.srcAddr;
        // ...
        explore.proto = 0x13;
    }
Good packet: Ethernet (ethertype 0x800) | IPv4 (src, dst)
Faulty packet: Ethernet (ethertype 0x809) | Explore
Bmv2: values from previous IPv4 headers.
P4NetFPGA: Explore fields set to zero.
Tofino: Explore unchanged except for proto field.

14. Writing invalid headers
    if (isValid(explore)) {
        ipv4.src = 0.0.0.0;
        // ...
    }
    if (ipv4.src == 0.0.0.0) eth.etherType = 0x1;
Good packet: Ethernet (ethertype 0x800) | IPv4 (src, dst)
Faulty packet: Ethernet (ethertype 0x809) | Explore
Bmv2: writes and read succeed.
P4NetFPGA: writes and read succeed.
Tofino: writes and read succeed, explore changed.

15. Loops
Write infinite loops using resubmit and clone egress-to-egress.
Insert 1 packet to trigger each bug.
P4NetFPGA: does not support recirculation.
Tofino: clone egress-to-egress: DDoS on egress.
Bmv2: resubmitted packets block ingress pipeline.

16. Resurrecting dropped packets
    mark_to_drop()
    set_egress_spec
Tofino: OK; drop sets a flag, which must be cleared on purpose to resurrect.
P4NetFPGA: drop sets egress_spec to 0.
Bmv2: drop sets egress_spec to 511.

17. Can we exploit P4 programs?
Assume strongest possible attacker:
Directly connected to switch.
Knows both program and table rules.

18. Impossible attacks *
Code injection
Control flow hijacking
Return oriented programming
Possible attacks
Data flow attacks
Denial of service
Privilege escalation

19. Some attacks we mounted
SimpleNAT: bypass ACL with resurrected packets; denial of service; privilege escalation.
Switch: privilege escalation.

20. Good cop
Finding P4 bugs before deployment.

21. Verification value proposition
Inspect P4 program before deployment.
Flag (all) bugs to programmer.
Ensure deployed programs are bug-free.

22. A growing number of verification tools for P4
p4-nod [MSR TR]
p4-pktgen [SOSR 2018]
p4v [Sigcomm 2018]
Vera [Sigcomm 2018]
p4-assert [Conext 2018]
af4 - ongoing work

23. A P4 program is only half a program
Full functionality: P4 program + table rules.
Key decision: how to deal with missing rules:
Concrete rules (commands.txt) – Vera, p4pktgen. Burden on programmer to provide relevant snapshots; poor coverage, fast (seconds).
Assume all rules possible, have programmer provide control-plane annotations – p4v, p4-assert. Great coverage, burden on programmer to provide annotations, a bit slower (minutes).
Derive control-plane annotations automatically – af4.

24. Verification approach
Translate P4-14 program to another language with clearer semantics, or use P4-16: GCL (p4v), SEFL (Symnet), C (p4-assert), P4-16 (p4-pktgen, af4).
Instrument code to add "traps" that detect bugs.
Find reachable bugs, report to programmer with example packets: symbolic execution or verification condition generation.

25. Implicit bug checks
(Diagram, Vera [Sigcomm 18]: P4 program → P4-to-SEFL compiler; the compiled model plus the P4 table entries → Symnet verification engine [Sigcomm '16]. Output, for each possible path: full instruction trace, header field values, constraints and, if needed, bug type.)

26. Generating all header layouts
    parser start {
        extract(eth);
        return select(eth.type) {
            0x800 : parse_ipv4;
            default: ingress;
        }
    }
    parser parse_ipv4 {
        extract(ipv4);
        return select(ipv4.protocol) {
            0x5E : parse_inner_ipv4;
            default: ingress;
        }
    }
    parser parse_inner_ipv4 {
        extract(inner_ipv4);
        return ingress;
    }

27–30. Generating all header layouts (built up over four slides)
Walking the parser above from start to ingress yields every layout the switch can accept:
    Eth
    Eth, IPv4
    Eth, IPv4, Inner_IPv4

31–39. Symbolic execution of P4 models (built up over nine slides)
Starting point: the three layouts from slides 27–30; the example follows the Eth, IPv4 layout.
The symbolic packet: Ethernet (Dst *, Src *, EtherType 0x800) followed by IPv4 (Src *, Dst *, TTL *, ...), where * is an unconstrained symbolic value.
P4-14 control:
    control ingress() {
        if (ipv4.TTL > 0) apply(lpm);
    }
The same control translated to SEFL:
    'ingress':
        If(Constrain('ipv4.TTL' > 0))
            Forward('table.lpm')
        else
            Forward('buffer.in')
Executing the If splits the symbolic packet in two: one copy with TTL > 0, which goes on to apply LPM, and one copy with TTL == 0, which goes to buffer.in.
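The layout enumeration of slides 26–30 and the per-path execution of slides 37–39, run against the buggy control of slide 5 and the checked control of slide 6, as an added Python model. This is not Vera's or Symnet's code; the Packet class, the port-1 LPM hit and the use of a TTL of 0 and 1 as stand-ins for the two symbolic branches are constructed assumptions.

```python
# Added example (not Vera's code): the slides' parser as a transition table,
# the header layouts it accepts, and two ingress controls run over all of them.
PARSER = {  # state: (header extracted, {selector value: next state}, default)
    "start": ("eth", {0x800: "parse_ipv4"}, "ingress"),
    "parse_ipv4": ("ipv4", {0x5E: "parse_inner_ipv4"}, "ingress"),
    "parse_inner_ipv4": ("inner_ipv4", {}, "ingress"),
}

def header_layouts(state="start"):
    """Every header sequence the parser can accept (slides 26-30)."""
    if state == "ingress":
        return [[]]
    hdr, trans, default = PARSER[state]
    nexts = sorted(set(trans.values()) | {default})
    return [[hdr] + rest for nxt in nexts for rest in header_layouts(nxt)]

class Packet:  # one symbolic path made concrete: valid headers + field values
    def __init__(self, layout, ttl):
        self.valid, self.ttl, self.egress_spec = set(layout), ttl, None

    def read_ttl(self):  # reading a field of an unparsed header is undefined
        if "ipv4" not in self.valid:
            raise ValueError("ipv4.TTL read while ipv4 is invalid")
        return self.ttl

def ingress_buggy(pkt):  # slide 5: no validity check before the read
    if pkt.read_ttl() > 0:
        pkt.egress_spec = 1  # apply(ipv4_lpm) modelled as a hit on port 1

def ingress_fixed(pkt):  # slide 6 check, plus an explicit drop on the else path
    if "ipv4" in pkt.valid and pkt.read_ttl() > 0:
        pkt.egress_spec = 1
    else:
        pkt.egress_spec = "drop"  # mark_to_drop(): egress_spec is never left unset

def find_bugs(control):
    """Run a control over every layout and both TTL branches (slides 37-39)."""
    bugs = []
    for layout in header_layouts():
        for ttl in (0, 1):  # representative values for the TTL==0 / TTL>0 paths
            pkt = Packet(layout, ttl)
            try:
                control(pkt)
            except ValueError as e:
                bugs.append((tuple(layout), ttl, str(e)))
                continue
            if pkt.egress_spec is None:  # sent to buffering with no destination
                bugs.append((tuple(layout), ttl, "egress_spec not set"))
    return bugs
```

Running find_bugs(ingress_buggy) reports the invalid read on the Eth-only layout and the unset egress_spec on the TTL == 0 paths, which is exactly the pair of bugs slides 5 and 6 describe; find_bugs(ingress_fixed) reports nothing.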

40. Vera evaluation summary

41. Vera works great for concrete table rules, but the rules are only known at runtime.
Apply Vera at runtime, catching rules before they are inserted, and re-check the entire program.
Assume all table entries are possible – symbolic table entries.
(Callouts on the slide: Too slow! Repeatedly finds same bugs, does not scale.)

42. p4v [Sigcomm 18]
(Pipeline: P4 program + control-plane interface → GCL program → GCL (annotated, optimized) → verification condition → Z3 → PASSED, or FAILED with a counterexample.)
Example control-plane annotation:
    assume action(tunnel_decap) == decap_6in4 iff action(tunnel_term) == term_6in4

43. p4v evaluation
switch.p4: ~2 minutes.
Control plane interface: 758 LOC.
Found 10 bugs: 2 parser bugs, 4 action flaws, 3 infeasible control plane, 1 invalid table read.

44. p4v performance

45. p4v vs. Vera
Catches fewer bug types, e.g. no loops.
Covers all possible dataplanes.
Scales much better, but requires manual annotations: 700 annotations for a 6 KLOC program.

46. af4 – annotation-free verification & repair
Automatically infer annotations for table rules.
Backend for the p4c compiler (11 KLOC).
Inhibit many (ideally all) unsafe behaviours.
Do not prevent any safe behaviours.
No manual annotations required.

47. Key idea
Find table rules that always lead to faulty behaviour.
    table nat {
        actions = {
            drop();
            // ...
            nat_hit_int_to_ext();
        }
        key = {
            // ...
            hdr.ipv4.isValid() : exact;
            hdr.ipv4.srcAddr   : ternary;
        }
    }
Rules (isValid | hdr.ipv4.srcAddr value, mask | action):
    0 | 10.10.10.10, 255/8 | drop  ->  ALL PACKETS TRIGGER BUG
    0 | *, 255/8           | *     ->  ALL PACKETS TRIGGER BUG
    0 | *, != 0            | *     ->  ALL PACKETS TRIGGER BUG
GOAL: AUTOMATICALLY DERIVE PREDICATES TO FILTER BAD RULES

48–53. af4 operation summary (built up over six slides)
Transform & instrument P4 program.
Expand table calls.
Generate reachability conditions.
Find reachable bugs: SAT(reach(bug)).
For each bug, find assert point and infer predicates & add missing keys.
Output controller assertions.
Output fixed P4 program.

54. Expanding NAT table call
    if (pcn.key_ipv4_valid == 0 && pcn.key_ipv4_src_addr_mask != 0) bug();

55. Build control flow graph
(Diagram of the expanded NAT table call: ingress; pcn = havoc<flowdef_nat>; pcn.reach = 1; ASSERT POINT; then branches on pcn.hit == 1, key_match and key_valid, whose true/false edges lead either to BUG, or to pcn.action_run == drop → mark_to_drop(), or to pcn.action_run == nat_hit_int_to_ext → meta.do_forward = 1; meta.ipv4_sa = …; and finally ACCEPT.)

56. Generating verification condition
(Conditions accumulated along the edges of the graph from slide 55:)
    pcn.hit == true
    pcn.hit == true && key_matches && !key_is_valid
    pcn.hit == true && key_matches && key_is_valid
    pcn.hit == true && key_matches && key_is_valid && pcn.action_run == drop
    pcn.hit == false || (pcn.hit == true && key_matches && key_is_valid && pcn.action_run == drop)
    …

57. Algorithm
Inputs:
    OK – good runs – weakest precondition for accept.
    BUG – bad runs – weakest precondition for bug.
    P – controlled variables – table keys and action.
    Candidate keys.
Output: constraints for controlled variables.

58. Infer: automatically inferring predicates
(Flow diagram: OK, BUG → Get model → Intersect? NO → Unsat core → P1; YES → P1 → Get model → P2 → Get model → Add keys → P3.)
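The key idea of slide 47 and the expanded condition of slide 54, reconstructed by brute force as an added Python example (this is not af4's code, which infers the predicate from weakest preconditions as on slide 57). The 4-bit address domain, the rule tuple format and the controller_accepts helper are constructed assumptions.

```python
# Added example (not af4's code): a brute-force version of the key idea on the
# slides, over a constructed domain of 4-bit addresses so every rule and packet
# can be enumerated. Rule = (isValid key value, (srcAddr value, mask), action).
from itertools import product

ADDRS = range(1 << 4)  # constructed: 4-bit stand-in for hdr.ipv4.srcAddr

def nat_lookup(rule, ipv4_valid, src_addr):
    """Match one packet against one NAT rule. Returns 'miss', the action, or
    'bug' when the ternary key compares hdr.ipv4.srcAddr while ipv4 is invalid."""
    key_valid, (value, mask), action = rule
    if key_valid != ipv4_valid:  # exact key on hdr.ipv4.isValid()
        return "miss"
    if mask and not ipv4_valid:  # field of an unparsed header is read: undefined
        return "bug"
    if (src_addr & mask) != (value & mask):
        return "miss"
    return action

def packets():
    """Every packet in the constructed domain: ipv4 valid bit + source address."""
    return [(v, a) for v in (0, 1) for a in ADDRS]

def rule_always_bad(rule):
    """True when every packet that hits the rule triggers the bug (slide 47)."""
    outcomes = {nat_lookup(rule, v, a) for v, a in packets()} - {"miss"}
    return outcomes == {"bug"}

def bad_rule_predicate():
    """Enumerate all rules and collect the (isValid key, mask != 0) combinations
    that are always bad: the predicate af4 would emit as a controller assertion."""
    return {(kv, mask != 0)
            for kv, value, mask in product((0, 1), ADDRS, ADDRS)
            if rule_always_bad((kv, (value, mask), "drop"))}

BAD = bad_rule_predicate()  # expected: {(0, True)}, i.e. slide 54's condition

def controller_accepts(rule):
    """Controller-side check: reject a rule before it is inserted (slide 53)."""
    key_valid, (_value, mask), _action = rule
    return (key_valid, mask != 0) not in BAD
```

The only always-bad combination found is isValid key 0 with a non-zero srcAddr mask, which is the condition slide 54 inserts at the expanded table call.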

59. af4 at work
switch.p4: 6 KLOC, 372 keys, 129 tables.
Runtime: 11 minutes.
Reachable bugs before Infer: 164.
Reachable bugs after Infer: 86.
Reachable bugs after Infer+Fix: 0.
44 keys (isValid) added to 17 tables.

60. Example bug
Need to add key isValid(hdr.fabric_header).
Need to add key isValid(hdr.fabric_header_unicast).

61. Limitations of af4
Does not support all types of bugs, e.g. egress spec not set.
Assumes tables have a fixed no-op default entry.
It may not always manage to remove all bugs.

62. Conclusions
Easy to code bugs in P4 programs.
Verification before deployment is crucial, or be pwned.
We can automatically find all instances of certain types of bugs in P4 programs.
Vera, p4-pktgen: concrete snapshots.
p4v: all paths, requires annotations.
af4: all snapshots, generates annotations, automatically fixes certain types of bugs.

63. Backup slides

64. Simple NAT bugs
Attack 1. Bypassing ACL.
Controller marks packets from attacker port to be dropped in if_info table.
Attacker guesses mapping in NAT table.
Packet is resurrected.
(Diagram: SimpleNat, Internal, External, Attacker.)

65. Simple NAT bugs
Attack 2. Denial of Service.
Attacker's dropped packet misses in NAT table.
Controller inserts rule for flow.
Flow table overflows.
(Diagram: SimpleNat, Internal, External, Attacker.)

66. Simple NAT bugs
Attack 3. Privilege escalation.
Attacker spoofs controller packet.
Can do whatever it wants.
(Diagram: SimpleNat, Internal, External, Attacker.)

67. switch.p4
Much better engineered than simple NAT.
Privilege escalation attack still possible:
Craft CPU packet with proper bypass flags.
Inject IPv4 packet that bypasses the ACL.